]>
Commit | Line | Data |
---|---|---|
29af4c13 | 1 | policy_module(ssh, 2.2.0) |
0404a390 CP |
2 | |
3 | ######################################## | |
4 | # | |
5 | # Declarations | |
6 | # | |
7 | ||
56e1b3d2 | 8 | ## <desc> |
1e2abee1 DG |
9 | ## <p> |
10 | ## allow host key based authentication | |
11 | ## </p> | |
56e1b3d2 | 12 | ## </desc> |
0bfccda4 | 13 | gen_tunable(allow_ssh_keysign, false) |
56e1b3d2 CP |
14 | |
15 | ## <desc> | |
1e2abee1 DG |
16 | ## <p> |
17 | ## Allow ssh logins as sysadm_r:sysadm_t | |
18 | ## </p> | |
56e1b3d2 | 19 | ## </desc> |
0bfccda4 | 20 | gen_tunable(ssh_sysadm_login, false) |
56e1b3d2 | 21 | |
3eaa9939 | 22 | ## <desc> |
1e2abee1 DG |
23 | ## <p> |
24 | ## allow sshd to forward port connections | |
25 | ## </p> | |
3eaa9939 DW |
26 | ## </desc> |
27 | gen_tunable(sshd_forward_ports, false) | |
28 | ||
919775fe MG |
29 | ## <desc> |
30 | ## <p> | |
31 | ## Allow ssh with chroot env to read and write files | |
32 | ## in the user home directories | |
33 | ## </p> | |
34 | ## </desc> | |
35 | gen_tunable(ssh_chroot_rw_homedirs, false) | |
36 | ||
f5dce57b | 37 | attribute ssh_dyntransition_domain; |
45239964 | 38 | attribute ssh_server; |
296273a7 | 39 | attribute ssh_agent_type; |
0404a390 | 40 | |
4c3a6f86 MG |
41 | ssh_dyntransition_domain_template(chroot_user_t) |
42 | ssh_dyntransition_domain_template(sshd_sandbox_t) | |
43 | ||
75beb950 | 44 | type ssh_keygen_t; |
0404a390 | 45 | type ssh_keygen_exec_t; |
0bfccda4 | 46 | init_system_domain(ssh_keygen_t, ssh_keygen_exec_t) |
0404a390 | 47 | |
e070dd2d | 48 | type sshd_exec_t; |
fb63d0b5 | 49 | corecmd_executable_file(sshd_exec_t) |
c3812748 | 50 | |
6b19be33 | 51 | ssh_server_template(sshd) |
0bfccda4 | 52 | init_daemon_domain(sshd_t, sshd_exec_t) |
6b19be33 | 53 | |
3eaa9939 DW |
54 | type sshd_initrc_exec_t; |
55 | init_script_file(sshd_initrc_exec_t) | |
56 | ||
375c2415 CP |
57 | type sshd_key_t; |
58 | files_type(sshd_key_t) | |
9ccd96df | 59 | |
296273a7 CP |
60 | type ssh_t; |
61 | type ssh_exec_t; | |
62 | typealias ssh_t alias { user_ssh_t staff_ssh_t sysadm_ssh_t }; | |
63 | typealias ssh_t alias { auditadm_ssh_t secadm_ssh_t }; | |
64 | application_domain(ssh_t, ssh_exec_t) | |
65 | ubac_constrained(ssh_t) | |
66 | ||
67 | type ssh_agent_exec_t; | |
68 | corecmd_executable_file(ssh_agent_exec_t) | |
69 | ||
70 | type ssh_agent_tmp_t; | |
71 | typealias ssh_agent_tmp_t alias { user_ssh_agent_tmp_t staff_ssh_agent_tmp_t sysadm_ssh_agent_tmp_t }; | |
72 | typealias ssh_agent_tmp_t alias { auditadm_ssh_agent_tmp_t secadm_ssh_agent_tmp_t }; | |
73 | files_tmp_file(ssh_agent_tmp_t) | |
74 | ubac_constrained(ssh_agent_tmp_t) | |
75 | ||
76 | type ssh_keysign_t; | |
77 | type ssh_keysign_exec_t; | |
78 | typealias ssh_keysign_t alias { user_ssh_keysign_t staff_ssh_keysign_t sysadm_ssh_keysign_t }; | |
79 | typealias ssh_keysign_t alias { auditadm_ssh_keysign_t secadm_ssh_keysign_t }; | |
80 | application_domain(ssh_keysign_t, ssh_keysign_exec_t) | |
81 | ubac_constrained(ssh_keysign_t) | |
82 | ||
83 | type ssh_tmpfs_t; | |
84 | typealias ssh_tmpfs_t alias { user_ssh_tmpfs_t staff_ssh_tmpfs_t sysadm_ssh_tmpfs_t }; | |
85 | typealias ssh_tmpfs_t alias { auditadm_ssh_tmpfs_t secadm_ssh_tmpfs_t }; | |
86 | files_tmpfs_file(ssh_tmpfs_t) | |
87 | ubac_constrained(ssh_tmpfs_t) | |
88 | ||
cde15072 CP |
89 | type ssh_home_t; |
90 | typealias ssh_home_t alias { home_ssh_t user_ssh_home_t user_home_ssh_t staff_home_ssh_t sysadm_home_ssh_t }; | |
91 | typealias ssh_home_t alias { auditadm_home_ssh_t secadm_home_ssh_t }; | |
cde15072 | 92 | userdom_user_home_content(ssh_home_t) |
8ba1f41a | 93 | files_poly_parent(ssh_home_t) |
296273a7 | 94 | |
4781493e DG |
95 | ifdef(`enable_mcs',` |
96 | init_ranged_daemon_domain(sshd_t, sshd_exec_t, s0 - mcs_systemhigh) | |
97 | ') | |
98 | ||
296273a7 CP |
99 | ############################## |
100 | # | |
101 | # SSH client local policy | |
102 | # | |
103 | ||
104 | allow ssh_t self:capability { setuid setgid dac_override dac_read_search }; | |
105 | allow ssh_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; | |
106 | allow ssh_t self:fd use; | |
107 | allow ssh_t self:fifo_file rw_fifo_file_perms; | |
8f471092 | 108 | allow ssh_t self:key read; |
296273a7 CP |
109 | allow ssh_t self:unix_dgram_socket { create_socket_perms sendto }; |
110 | allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto }; | |
111 | allow ssh_t self:shm create_shm_perms; | |
112 | allow ssh_t self:sem create_sem_perms; | |
113 | allow ssh_t self:msgq create_msgq_perms; | |
114 | allow ssh_t self:msg { send receive }; | |
cde15072 | 115 | allow ssh_t self:tcp_socket create_stream_socket_perms; |
64607462 | 116 | can_exec(ssh_t, ssh_exec_t) |
296273a7 CP |
117 | |
118 | # Read the ssh key file. | |
119 | allow ssh_t sshd_key_t:file read_file_perms; | |
120 | ||
296273a7 CP |
121 | manage_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) |
122 | manage_lnk_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) | |
123 | manage_fifo_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) | |
124 | manage_sock_files_pattern(ssh_t, ssh_tmpfs_t, ssh_tmpfs_t) | |
cde15072 | 125 | fs_tmpfs_filetrans(ssh_t, ssh_tmpfs_t, { dir file lnk_file sock_file fifo_file }) |
296273a7 | 126 | |
edc2f7de CP |
127 | manage_dirs_pattern(ssh_t, ssh_home_t, ssh_home_t) |
128 | manage_sock_files_pattern(ssh_t, ssh_home_t, ssh_home_t) | |
129 | userdom_user_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) | |
8f471092 | 130 | userdom_read_all_users_keys(ssh_t) |
3eaa9939 | 131 | userdom_stream_connect(ssh_t) |
726d3fd9 | 132 | userdom_search_admin_dir(sshd_t) |
70be862b | 133 | userdom_admin_home_dir_filetrans(ssh_t, ssh_home_t, { dir sock_file }) |
296273a7 CP |
134 | |
135 | # Allow the ssh program to communicate with ssh-agent. | |
136 | stream_connect_pattern(ssh_t, ssh_agent_tmp_t, ssh_agent_tmp_t, ssh_agent_type) | |
137 | ||
138 | allow ssh_t sshd_t:unix_stream_socket connectto; | |
5dd938af | 139 | allow ssh_t sshd_t:peer recv; |
296273a7 CP |
140 | |
141 | # ssh client can manage the keys and config | |
edc2f7de CP |
142 | manage_files_pattern(ssh_t, ssh_home_t, ssh_home_t) |
143 | read_lnk_files_pattern(ssh_t, ssh_home_t, ssh_home_t) | |
296273a7 CP |
144 | |
145 | # ssh servers can read the user keys and config | |
3eaa9939 DW |
146 | manage_dirs_pattern(ssh_server, ssh_home_t, ssh_home_t) |
147 | manage_files_pattern(ssh_server, ssh_home_t, ssh_home_t) | |
148 | userdom_user_home_dir_filetrans(ssh_server, ssh_home_t, dir) | |
149 | userdom_admin_home_dir_filetrans(ssh_server, ssh_home_t, dir) | |
296273a7 CP |
150 | |
151 | kernel_read_kernel_sysctls(ssh_t) | |
cde15072 | 152 | kernel_read_system_state(ssh_t) |
296273a7 CP |
153 | |
154 | corenet_all_recvfrom_unlabeled(ssh_t) | |
155 | corenet_all_recvfrom_netlabel(ssh_t) | |
668b3093 | 156 | corenet_tcp_sendrecv_generic_if(ssh_t) |
c1262146 | 157 | corenet_tcp_sendrecv_generic_node(ssh_t) |
296273a7 CP |
158 | corenet_tcp_sendrecv_all_ports(ssh_t) |
159 | corenet_tcp_connect_ssh_port(ssh_t) | |
160 | corenet_sendrecv_ssh_client_packets(ssh_t) | |
3eaa9939 DW |
161 | corenet_tcp_bind_generic_node(ssh_t) |
162 | corenet_tcp_bind_all_unreserved_ports(ssh_t) | |
2e52e8cf | 163 | corenet_rw_tun_tap_dev(ssh_t) |
296273a7 | 164 | |
8fd700fe | 165 | dev_read_rand(ssh_t) |
296273a7 CP |
166 | dev_read_urand(ssh_t) |
167 | ||
168 | fs_getattr_all_fs(ssh_t) | |
169 | fs_search_auto_mountpoints(ssh_t) | |
170 | ||
171 | # run helper programs - needed eg for x11-ssh-askpass | |
172 | corecmd_exec_shell(ssh_t) | |
173 | corecmd_exec_bin(ssh_t) | |
174 | ||
175 | domain_use_interactive_fds(ssh_t) | |
176 | ||
177 | files_list_home(ssh_t) | |
178 | files_read_usr_files(ssh_t) | |
179 | files_read_etc_runtime_files(ssh_t) | |
180 | files_read_etc_files(ssh_t) | |
181 | files_read_var_files(ssh_t) | |
182 | ||
183 | logging_send_syslog_msg(ssh_t) | |
184 | logging_read_generic_logs(ssh_t) | |
185 | ||
cde15072 CP |
186 | auth_use_nsswitch(ssh_t) |
187 | ||
296273a7 | 188 | miscfiles_read_localization(ssh_t) |
442a14fe | 189 | miscfiles_read_generic_certs(ssh_t) |
296273a7 CP |
190 | |
191 | seutil_read_config(ssh_t) | |
192 | ||
296273a7 CP |
193 | userdom_dontaudit_list_user_home_dirs(ssh_t) |
194 | userdom_search_user_home_dirs(ssh_t) | |
bebaa6a2 | 195 | userdom_search_admin_dir(ssh_t) |
296273a7 | 196 | # Write to the user domain tty. |
af2d8802 | 197 | userdom_use_inherited_user_terminals(ssh_t) |
3eaa9939 | 198 | # needs to read krb/write tgt |
296273a7 | 199 | userdom_read_user_tmp_files(ssh_t) |
3eaa9939 DW |
200 | userdom_write_user_tmp_files(ssh_t) |
201 | userdom_read_user_home_content_symlinks(ssh_t) | |
ded9692e | 202 | userdom_read_home_certs(ssh_t) |
ed2ac112 | 203 | userdom_home_manager(ssh_t) |
296273a7 CP |
204 | |
205 | tunable_policy(`allow_ssh_keysign',` | |
3c4ffa32 | 206 | domtrans_pattern(ssh_t, ssh_keysign_exec_t, ssh_keysign_t) |
296273a7 CP |
207 | ') |
208 | ||
296273a7 CP |
209 | # for port forwarding |
210 | tunable_policy(`user_tcp_server',` | |
211 | corenet_tcp_bind_ssh_port(ssh_t) | |
cde15072 | 212 | corenet_tcp_bind_generic_node(ssh_t) |
296273a7 CP |
213 | ') |
214 | ||
27608c5b DW |
215 | optional_policy(` |
216 | gnome_stream_connect_all_gkeyringd(ssh_t) | |
217 | ') | |
218 | ||
296273a7 CP |
219 | optional_policy(` |
220 | xserver_user_x_domain_template(ssh, ssh_t, ssh_tmpfs_t) | |
221 | xserver_domtrans_xauth(ssh_t) | |
222 | ') | |
223 | ||
3eaa9939 | 224 | |
296273a7 CP |
225 | ############################## |
226 | # | |
227 | # ssh_keysign_t local policy | |
228 | # | |
229 | ||
230 | tunable_policy(`allow_ssh_keysign',` | |
231 | allow ssh_keysign_t self:capability { setgid setuid }; | |
232 | allow ssh_keysign_t self:unix_stream_socket create_socket_perms; | |
233 | ||
7d1f5642 | 234 | allow ssh_keysign_t sshd_key_t:file read_file_perms; |
296273a7 | 235 | |
8fd700fe | 236 | dev_read_rand(ssh_keysign_t) |
296273a7 CP |
237 | dev_read_urand(ssh_keysign_t) |
238 | ||
239 | files_read_etc_files(ssh_keysign_t) | |
240 | ') | |
241 | ||
0404a390 CP |
242 | ################################# |
243 | # | |
244 | # sshd local policy | |
245 | # | |
246 | # sshd_t is the domain for the sshd program. | |
247 | # | |
248 | ||
6b19be33 CP |
249 | # so a tunnel can point to another ssh tunnel |
250 | allow sshd_t self:netlink_route_socket r_netlink_socket_perms; | |
251 | allow sshd_t self:key { search link write }; | |
3eaa9939 | 252 | allow sshd_t self:process setcurrent; |
44d5d93f | 253 | |
6b19be33 CP |
254 | kernel_search_key(sshd_t) |
255 | kernel_link_key(sshd_t) | |
256 | ||
c3c753f7 CP |
257 | term_use_all_ptys(sshd_t) |
258 | term_setattr_all_ptys(sshd_t) | |
3eaa9939 | 259 | term_setattr_all_ttys(sshd_t) |
c3c753f7 | 260 | term_relabelto_all_ptys(sshd_t) |
3eaa9939 | 261 | term_use_ptmx(sshd_t) |
296273a7 | 262 | |
6b19be33 CP |
263 | # for X forwarding |
264 | corenet_tcp_bind_xserver_port(sshd_t) | |
265 | corenet_sendrecv_xserver_server_packets(sshd_t) | |
266 | ||
3eaa9939 DW |
267 | userdom_read_user_home_content_files(sshd_t) |
268 | userdom_read_user_home_content_symlinks(sshd_t) | |
3eaa9939 | 269 | userdom_manage_tmp_role(system_r, sshd_t) |
4781493e DG |
270 | userdom_spec_domtrans_unpriv_users(sshd_t) |
271 | userdom_signal_unpriv_users(sshd_t) | |
919775fe | 272 | userdom_dyntransition_unpriv_users(sshd_t) |
4781493e DG |
273 | |
274 | tunable_policy(`sshd_forward_ports',` | |
275 | corenet_tcp_bind_all_unreserved_ports(sshd_t) | |
276 | corenet_tcp_connect_all_ports(sshd_t) | |
277 | ') | |
3eaa9939 | 278 | |
6b19be33 CP |
279 | tunable_policy(`ssh_sysadm_login',` |
280 | # Relabel and access ptys created by sshd | |
281 | # ioctl is necessary for logout() processing for utmp entry and for w to | |
282 | # display the tty. | |
283 | # some versions of sshd on the new SE Linux require setattr | |
6b19be33 | 284 | userdom_signal_all_users(sshd_t) |
f39ff1fa | 285 | userdom_spec_domtrans_all_users(sshd_t) |
6b19be33 CP |
286 | ') |
287 | ||
57ce3836 | 288 | optional_policy(` |
5a1cc7f0 | 289 | amanda_search_var_lib(sshd_t) |
57ce3836 DW |
290 | ') |
291 | ||
cde15072 | 292 | optional_policy(` |
088b65e5 | 293 | daemontools_service_domain(sshd_t, sshd_exec_t) |
cde15072 CP |
294 | ') |
295 | ||
3eaa9939 DW |
296 | optional_policy(` |
297 | kerberos_keytab_template(sshd, sshd_t) | |
298 | ') | |
299 | ||
300 | optional_policy(` | |
301 | ftp_dyntrans_sftpd(sshd_t) | |
302 | ftp_dyntrans_anon_sftpd(sshd_t) | |
303 | ') | |
304 | ||
6b19be33 | 305 | optional_policy(` |
088b65e5 | 306 | inetd_tcp_service_domain(sshd_t, sshd_exec_t) |
6b19be33 CP |
307 | ') |
308 | ||
309 | optional_policy(` | |
3eaa9939 | 310 | nx_read_home_files(sshd_t) |
6b19be33 CP |
311 | ') |
312 | ||
313 | optional_policy(` | |
314 | rpm_use_script_fds(sshd_t) | |
315 | ') | |
316 | ||
317 | optional_policy(` | |
296273a7 | 318 | rssh_spec_domtrans(sshd_t) |
6b19be33 | 319 | # For reading /home/user/.ssh |
296273a7 | 320 | rssh_read_ro_content(sshd_t) |
6b19be33 CP |
321 | ') |
322 | ||
151056b0 MG |
323 | optional_policy(` |
324 | systemd_exec_systemctl(sshd_t) | |
325 | ') | |
326 | ||
3eaa9939 DW |
327 | optional_policy(` |
328 | usermanage_domtrans_passwd(sshd_t) | |
329 | usermanage_read_crack_db(sshd_t) | |
330 | ') | |
331 | ||
350b6ab7 | 332 | optional_policy(` |
350b6ab7 CP |
333 | unconfined_shell_domtrans(sshd_t) |
334 | ') | |
335 | ||
088b65e5 CP |
336 | optional_policy(` |
337 | xserver_domtrans_xauth(sshd_t) | |
338 | ') | |
339 | ||
6b19be33 | 340 | ifdef(`TODO',` |
1e2abee1 DG |
341 | tunable_policy(`ssh_sysadm_login',` |
342 | # Relabel and access ptys created by sshd | |
343 | # ioctl is necessary for logout() processing for utmp entry and for w to | |
344 | # display the tty. | |
345 | # some versions of sshd on the new SE Linux require setattr | |
346 | allow sshd_t ptyfile:chr_file relabelto; | |
347 | ||
348 | optional_policy(` | |
349 | domain_trans(sshd_t, xauth_exec_t, userdomain) | |
350 | ') | |
351 | ',` | |
352 | optional_policy(` | |
353 | domain_trans(sshd_t, xauth_exec_t, unpriv_userdomain) | |
354 | ') | |
355 | # Relabel and access ptys created by sshd | |
356 | # ioctl is necessary for logout() processing for utmp entry and for w to | |
357 | # display the tty. | |
358 | # some versions of sshd on the new SE Linux require setattr | |
7d1f5642 | 359 | allow sshd_t userpty_type:chr_file { relabelto rw_inherited_chr_file_perms setattr_chr_file_perms }; |
5540e76a | 360 | ') |
6b19be33 | 361 | ') dnl endif TODO |
0404a390 | 362 | |
0404a390 CP |
363 | ######################################## |
364 | # | |
365 | # ssh_keygen local policy | |
366 | # | |
367 | ||
75beb950 CP |
368 | # ssh_keygen_t is the type of the ssh-keygen program when run at install time |
369 | # and by sysadm_t | |
0404a390 | 370 | |
3e23c54b | 371 | allow ssh_keygen_t self:capability dac_override; |
75beb950 CP |
372 | dontaudit ssh_keygen_t self:capability sys_tty_config; |
373 | allow ssh_keygen_t self:process { sigchld sigkill sigstop signull signal }; | |
75beb950 | 374 | allow ssh_keygen_t self:unix_stream_socket create_stream_socket_perms; |
0404a390 | 375 | |
c0868a7a | 376 | allow ssh_keygen_t sshd_key_t:file manage_file_perms; |
0bfccda4 | 377 | files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) |
0404a390 | 378 | |
58c3d0e9 MG |
379 | manage_dirs_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) |
380 | manage_files_pattern(ssh_keygen_t, ssh_home_t, ssh_home_t) | |
381 | userdom_admin_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) | |
092a35ee | 382 | userdom_user_home_dir_filetrans(ssh_keygen_t, ssh_home_t, dir) |
58c3d0e9 | 383 | |
c1a9a532 | 384 | kernel_read_system_state(ssh_keygen_t) |
75beb950 | 385 | kernel_read_kernel_sysctls(ssh_keygen_t) |
0404a390 | 386 | |
75beb950 | 387 | fs_search_auto_mountpoints(ssh_keygen_t) |
ab940a4c | 388 | |
75beb950 | 389 | dev_read_sysfs(ssh_keygen_t) |
b76a6a16 | 390 | dev_read_rand(ssh_keygen_t) |
75beb950 | 391 | dev_read_urand(ssh_keygen_t) |
0404a390 | 392 | |
75beb950 | 393 | term_dontaudit_use_console(ssh_keygen_t) |
0404a390 | 394 | |
75beb950 | 395 | domain_use_interactive_fds(ssh_keygen_t) |
0404a390 | 396 | |
75beb950 | 397 | files_read_etc_files(ssh_keygen_t) |
0404a390 | 398 | |
75beb950 CP |
399 | init_use_fds(ssh_keygen_t) |
400 | init_use_script_ptys(ssh_keygen_t) | |
0404a390 | 401 | |
cde15072 CP |
402 | auth_use_nsswitch(ssh_keygen_t) |
403 | ||
75beb950 | 404 | logging_send_syslog_msg(ssh_keygen_t) |
0404a390 | 405 | |
75beb950 | 406 | userdom_dontaudit_use_unpriv_user_fds(ssh_keygen_t) |
0b0d648a | 407 | userdom_use_user_terminals(ssh_keygen_t) |
0404a390 | 408 | |
75beb950 CP |
409 | optional_policy(` |
410 | seutil_sigchld_newrole(ssh_keygen_t) | |
411 | ') | |
412 | ||
413 | optional_policy(` | |
414 | udev_read_db(ssh_keygen_t) | |
c0d1566a | 415 | ') |
919775fe | 416 | |
4c3a6f86 MG |
417 | #################################### |
418 | # | |
419 | # ssh_dyntransition domain local policy | |
420 | # | |
421 | ||
422 | allow ssh_dyntransition_domain self:capability { setuid sys_chroot setgid }; | |
423 | ||
424 | allow ssh_dyntransition_domain self:fifo_file rw_fifo_file_perms; | |
425 | ||
426 | optional_policy(` | |
427 | ssh_rw_stream_sockets(ssh_dyntransition_domain) | |
428 | ssh_rw_tcp_sockets(ssh_dyntransition_domain) | |
429 | ') | |
430 | ||
431 | ##################################### | |
432 | # | |
433 | # ssh_sandbox local policy | |
434 | # | |
435 | ||
436 | allow sshd_t sshd_sandbox_t:process signal; | |
437 | ||
438 | init_ioctl_stream_sockets(sshd_sandbox_t) | |
439 | ||
440 | logging_send_audit_msgs(sshd_sandbox_t) | |
441 | ||
919775fe MG |
442 | ###################################### |
443 | # | |
444 | # chroot_user_t local policy | |
445 | # | |
446 | ||
919775fe MG |
447 | |
448 | userdom_read_user_home_content_files(chroot_user_t) | |
449 | userdom_read_inherited_user_home_content_files(chroot_user_t) | |
450 | userdom_read_user_home_content_symlinks(chroot_user_t) | |
451 | userdom_exec_user_home_content_files(chroot_user_t) | |
452 | ||
453 | tunable_policy(`ssh_chroot_rw_homedirs',` | |
454 | files_list_home(chroot_user_t) | |
455 | userdom_read_user_home_content_files(chroot_user_t) | |
456 | userdom_manage_user_home_content(chroot_user_t) | |
457 | ', ` | |
458 | ||
459 | userdom_user_home_dir_filetrans_pattern(chroot_user_t, { dir file lnk_file }) | |
460 | ') | |
461 | ||
462 | tunable_policy(`ssh_chroot_rw_homedirs && use_nfs_home_dirs',` | |
463 | fs_manage_nfs_dirs(chroot_user_t) | |
464 | fs_manage_nfs_files(chroot_user_t) | |
465 | fs_manage_nfs_symlinks(chroot_user_t) | |
466 | ') | |
467 | ||
468 | tunable_policy(`ssh_chroot_rw_homedirs && use_samba_home_dirs',` | |
469 | fs_manage_cifs_dirs(chroot_user_t) | |
470 | fs_manage_cifs_files(chroot_user_t) | |
471 | fs_manage_cifs_symlinks(chroot_user_t) | |
472 | ') | |
473 | ||
8b6c8e05 | 474 | tunable_policy(`ssh_chroot_rw_homedirs && use_fusefs_home_dirs',` |
fbf13449 | 475 | fs_manage_fusefs_dirs(chroot_user_t) |
8b6c8e05 | 476 | fs_manage_fusefs_files(chroot_user_t) |
fbf13449 | 477 | fs_manage_fusefs_symlinks(chroot_user_t) |
8b6c8e05 MG |
478 | ') |
479 | ||
919775fe MG |
480 | tunable_policy(`use_samba_home_dirs',` |
481 | fs_read_cifs_files(chroot_user_t) | |
482 | fs_read_cifs_symlinks(chroot_user_t) | |
483 | ') | |
484 | ||
ed2ac112 | 485 | userdom_home_manager(chroot_user_t) |
8b6c8e05 | 486 | |
919775fe | 487 | optional_policy(` |
919775fe MG |
488 | ssh_rw_dgram_sockets(chroot_user_t) |
489 | ') |